username and password authorization method

Bug #727879 reported by Raimon Esteve (www.zikzakmedia.com) on 2011-03-02
This bug affects 1 person
Affects: RPC4Django
Importance: Undecided
Assigned to: davidfischer

Bug Description

Hello,
If I use an authorization method, it doesn't check the user and returns the Anonymous user.

For example:

    proxy = xmlrpclib.ServerProxy("http://prova:prova@localhost:8443/xmlrpc") #rpc4django

In rpc4django views.py, getattr(request, 'user', None) always returns Anonymous.

One solution is the following code: validate the username and password from the URI

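    import base64
    import logging

    from django.contrib.auth import authenticate

    response = True

    user = getattr(request, 'user', None)
    # authorization: validate HTTP Basic credentials sent with the request
    if 'HTTP_AUTHORIZATION' in request.META:
        auth = request.META['HTTP_AUTHORIZATION'].split()
        if len(auth) != 2 or auth[0].lower() != "basic":
            logging.debug('HTTP Authorization is NOT authorized')
            response = False
        else:
            try:
                # split on the first ':' only; the password may contain ':'
                creds = base64.b64decode(auth[1]).decode('utf-8')
                uname, passwd = creds.split(':', 1)
            except (TypeError, ValueError):
                logging.debug('HTTP Authorization is NOT authorized')
                response = False
            else:
                # authenticate() returns None when the credentials are wrong
                user = authenticate(username=uname, password=passwd)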
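
The header handling from the snippet above as stand-alone Python 3 functions, added here as an example (not code from the report or from rpc4django), so the malformed-header cases can be exercised without a Django project. `parse_basic_auth`, `check_request`, `sample_authenticate`, `basic_header` and the sample credentials are hypothetical names and constructed values; in a Django view the stand-in would be `django.contrib.auth.authenticate`.

```python
import base64
import binascii
import hmac

# Constructed credentials for the example. In a Django view the lookup below
# would be django.contrib.auth.authenticate(username=..., password=...).
SAMPLE_USERS = {"prova": "pro:va"}


def sample_authenticate(username, password):
    """Stand-in for authenticate(): the username on success, else None."""
    expected = SAMPLE_USERS.get(username)
    if expected is None:
        return None
    ok = hmac.compare_digest(expected.encode(), password.encode())
    return username if ok else None


def parse_basic_auth(header):
    """Return (username, password) from an Authorization header, or None."""
    parts = header.split()
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first ':' only: the password may itself contain ':'.
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def check_request(meta, authenticate=sample_authenticate):
    """Return the authenticated user, or None (anonymous or rejected)."""
    header = meta.get("HTTP_AUTHORIZATION")
    creds = parse_basic_auth(header) if header else None
    if creds is None:
        return None
    return authenticate(*creds)


def basic_header(raw):
    """Build a Basic header value from raw bytes (for the sample inputs)."""
    return "Basic " + base64.b64encode(raw).decode("ascii")
```
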

davidfischer (djfische) on 2011-03-03
Changed in rpc4django:
assignee: nobody → davidfischer (djfische)
davidfischer (djfische) wrote :

This is by design.

When using authentication, you must either set up your webserver to use HTTP basic authentication or you must use the out of the box authentication. See the docs (http://packages.python.org/rpc4django/usage/auth.html) for details.

When using HTTP authentication, you should be using the RemoteUserMiddleware to do the password checking automatically. If using the out of the box authentication, you should use the system.login() method.

Changed in rpc4django:
status: New → Won't Fix
davidfischer (djfische) wrote :

If you want to see this in action, you can visit: https://rpcauth.davidfischer.name
There are two logins:
 - user: rpcnoauth with password: rpcnoauth - this user cannot call the secret method
 - user: rpc4django with password: rpc4django - this user can call the secret method
